Archive for the ‘Proxy Service’ Category

(2014-04-02) Building An ADFS Lab In W2K12(R2)

Posted by Jorge on 2014-04-02

The guys from AskPFE have written an interesting series of building an ADFS lab on W2K12 and then upgrade that to ADFS on W2K12R2 .

–

How to Build Your ADFS Lab on Server 2012 Part 1

How to Build Your ADFS Lab on Server 2012, Part2: Web SSO

How to Build Your ADFS Lab on Server 2012 Part 3: ADFS Proxy

How to Build Your ADFS Lab Part4: Upgrading to Server 2012 R2

–

With regards to migrating ADFS v2.x to ADFS v3.0, also have a look at (2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Claims Based Apps, Migration, Proxy Service, Security Token Service (STS), Web Application Proxy | Leave a Comment »

(2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

Posted by Jorge on 2014-03-12

In this article Microsoft explains how to migrate from ADFS v2.x to ADFS v3.0. In this blog post I have added multiple PowerShell scripts to help you migrate as automated as possible.

–

!!! DISCLAIMER/REMARKS !!!

These scripts are freeware, you are free to distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it
These scripts are furnished "AS IS". No warranty is expressed or implied!
Always test first in lab environment to see if it meets your needs!
Use these scripts at your own risk!
I do not warrant these scripts to be fit for any purpose, use or environment
I have tried to check everything that needed to be checked, but I do not guarantee these scripts do not have bugs.
I do not guarantee these scripts will not damage or destroy your system(s), environment or whatever.
I do not accept any liability in any way if you screw up, use the scripts wrong or in any other way where damage is caused to your environment/systems!
If you do not accept these terms do not use the scripts and delete it immediately!

!!! DISCLAIMER/REMARKS !!!

–

All scripts can also be downloaded from here.

+++++++++++++++++++++++++++++++++
++++++++++++++ PREPARE ++++++++++
+++++++++++++++++++++++++++++++++

# +++[P1]+++ Create Migration Folders
#SCRIPT NAME --> "C:\TEMP\Create-Folders.ps1"
New-Item "C:\ADFS-MIG" -ItemType Directory
New-Item "C:\ADFS-MIG\Config" -ItemType Directory
New-Item "C:\ADFS-MIG\Export" -ItemType Directory
New-Item "C:\ADFS-MIG\Service" -ItemType Directory
New-Item "C:\ADFS-MIG\Web" -ItemType Directory

–

++++++++++++++++++++++++++++++++

++++++++++++ EXPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[E1]+++ Output Federation Service Properties (On ADFS STS Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Output-Federation-Service-Properties.ps1"
If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") {
    Add-PSSnapIn Microsoft.ADFS.PowerShell
}
If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") {
    Import-Module ADFS
}
# Record ADFS Service Properties
Get-Service -Name ADFSSRV | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt
Get-WmiObject win32_service | ?{$_.name -eq "ADFSSRV"} | Select * | Out-File C:\ADFS-MIG\Config\ADFSService.txt -Append
# Record All ADFS Properties
Get-ADFSProperties | Out-File C:\ADFS-MIG\Config\ADFSProperties.txt
# Record All ADFS Endpoints
Get-ADFSEndpoint | Out-File C:\ADFS-MIG\Config\ADFSEndpoint.txt
# Record All ADFS Claim Descriptions
Get-ADFSClaimDescription | Out-File C:\ADFS-MIG\Config\ADFSClaimDescription.txt
# Record All ADFS Certificates
Get-ADFSCertificate | Out-File C:\ADFS-MIG\Config\ADFSCertificate.txt
# Record All ADFS Claims Provider Trusts
Get-ADFSClaimsProviderTrust | Out-File C:\ADFS-MIG\Config\ADFSClaimsProviderTrust.txt
# Record All ADFS Relying Party Trusts
Get-ADFSRelyingPartyTrust | Out-File C:\ADFS-MIG\Config\ADFSRelyingPartyTrust.txt
# Record All ADFS Attribute Stores
Get-ADFSAttributeStore | %{
    "##########" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Name. = " + $_.Name | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Class = " + $_.StoreTypeQualifiedName | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    "Store Config:" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    $_.Configuration.GetEnumerator() | %{
        "  * " + $_.Name + " = " + $_.Value | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
    }
    "" | Out-File C:\ADFS-MIG\Config\ADFSAttributeStore.txt -Append
}

–

# +++[E2]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-STS.ps1"
$privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..."
$privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..."
If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) {
    Write-Host "Passwords DO NOT Match..."
    Write-Host "Aborting..."
    BREAK
} Else {
    $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $ADFSCertificates = Get-ADFSCertificate
    $adfsSvcCommCert = $ADFSCertificates | ?{$_.CertificateType -eq "Service-Communications" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsSvcCommCert | Measure-Object).Count -eq 1) {
        $adfsSvcCommCertThumbprint = $adfsSvcCommCert.Certificate.Thumbprint
        $adfsSvcCommCertName = "ADFS Service Communication Cert (STS)"

        $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint}
        If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
            $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert")
            [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER)
            $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
            [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX)
        }
    }
    
    $adfsTokenSignCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Signing" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsTokenSignCert | Measure-Object).Count -ge 1) {
        $i = 1
        $adfsTokenSignCert | %{
            $adfsTokenSignCertThumbprint = $_.Certificate.Thumbprint
            $adfsTokenSignCertName = "ADFS Token Signing Cert (STS) (" + $i + ")"

            $adfsTokenSignCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenSignCertThumbprint}
            If ($adfsTokenSignCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenSignCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
                $adfsTokenSignCertBytesCER = $adfsTokenSignCertInLocalStore.export("Cert")
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".cer"), $adfsTokenSignCertBytesCER)
                $adfsTokenSignCertBytesPFX = $adfsTokenSignCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenSignCertName + ".pfx"), $adfsTokenSignCertBytesPFX)
            }
            $i += 1
        }
    }

    $adfsTokenEncryptCert = $ADFSCertificates | ?{$_.CertificateType -eq "Token-Decrypting" -And $_.StoreLocation -eq "LocalMachine"}
    If (($adfsTokenEncryptCert | Measure-Object).Count -ge 1) {
        $j = 1
        $adfsTokenEncryptCert | %{
            $adfsTokenEncryptCertThumbprint = $_.Certificate.Thumbprint
            $adfsTokenEncryptCertName = "ADFS Token Encryption Cert (STS) (" + $j + ")"

            $adfsTokenEncryptCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsTokenEncryptCertThumbprint}
            If ($adfsTokenEncryptCertInLocalStore.HasPrivateKey -eq $true -And $adfsTokenEncryptCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
                $adfsTokenEncryptCertBytesCER = $adfsTokenEncryptCertInLocalStore.export("Cert")
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".cer"), $adfsTokenEncryptCertBytesCER)
                $adfsTokenEncryptCertBytesPFX = $adfsTokenEncryptCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
                [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsTokenEncryptCertName + ".pfx"), $adfsTokenEncryptCertBytesPFX)
            }
            $j += 1
        }
    }
}

–

# +++[E3]+++ Export The ADFS v2.x Configuration To XML Files (On ADFS STS Only!)
#Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role
#Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server
C:\ADFS-MIG\Export-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

–

# +++[E4]+++ Copy The ADFS v2.x Web Configuration Files (On ADFS STS And ADFS Proxy!)
#SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Server-Configuration-Files.ps1"
Import-Module WebAdministration
$adfsWebPath = (Get-WebApplication "adfs/ls").PhysicalPath
Copy-Item $($adfsWebPath + "\*") "C:\ADFS-MIG\Web" -Recurse

–

# +++[E5]+++ Copy The ADFS v2.x Service Configuration Files (On ADFS STS And ADFS Proxy!)
#SCRIPT NAME --> "C:\ADFS-MIG\Copy-ADFS-Web-Service-Configuration-File.ps1"
If (Test-Path -Path "C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config") {
    Copy-Item "C:\Program Files\Active Directory Federation Services 2.0\*") "C:\ADFS-MIG\Service" -Recurse
}
If (Test-Path -Path "C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config") {
    Copy-Item "C:\Windows\ADFS\*") "C:\ADFS-MIG\Service" -Recurse
}

–

# +++[E6]+++ Export ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy Only!)
#SCRIPT NAME --> "C:\ADFS-MIG\Export-CA-Issued-Certificates-To-CER-And-PFX-From-ADFS-PRX.ps1"
$privateKeyProtectionPWD1 = Read-Host "Please Specify The Password To Protect The Private Keys..."
$privateKeyProtectionPWD2 = Read-Host "Please Re-Type The Password To Protect The Private Keys..."
If ($privateKeyProtectionPWD1 -ne $privateKeyProtectionPWD2) {
    Write-Host "Passwords DO NOT Match..."
    Write-Host "Aborting..."
    BREAK
} Else {
    $certype = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $adfsSvcCommCertThumbprint = (Get-WebBinding "Default Web Site" -protocol https).certificateHash
    $adfsSvcCommCertName = "ADFS Service Communication Cert (PRX)"
    $adfsSvcCommCertInLocalStore = Get-ChildItem -path cert:\LocalMachine\My | ?{$_.Thumbprint -eq $adfsSvcCommCertThumbprint}
    If ($adfsSvcCommCertInLocalStore.HasPrivateKey -eq $true -And $adfsSvcCommCertInLocalStore.PrivateKey.CspKeyContainerInfo.Exportable -eq $true) {
        $adfsSvcCommCertBytesCER = $adfsSvcCommCertInLocalStore.export("Cert")
        [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".cer"), $adfsSvcCommCertBytesCER)
        $adfsSvcCommCertBytesPFX = $adfsSvcCommCertInLocalStore.export($certype, $privateKeyProtectionPWD1)
        [system.IO.file]::WriteAllBytes($("C:\ADFS-MIG\Config\" + $adfsSvcCommCertName + ".pfx"), $adfsSvcCommCertBytesPFX)
    }
}

–

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++ CREATE/JOIN/CONFIGURE ADFS ++++++++++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

# +++[C1]+++ Create ADFS Farm Using WID And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-Self-Signed-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C2]+++ Create ADFS Farm Using WID And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-WID-CA-Issued-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

–

# +++[C3]+++ Create ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-Self-Signed-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C4]+++ Create ADFS Farm Using SQL And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Create-ADFS-Farm-SQL-CA-Issued-Certs.ps1"
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsSvcName = Read-Host "Please Specify The Display Name Of The Federation Service..."
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
$adfsTokenSignCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Signing Certificate"
$adfsTokenEncryptCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Token Encryption Certificate"
Add-WindowsFeature ADFS-Federation
Install-AdfsFarm -OverwriteConfiguration:$true -FederationServiceName $adfsSvcFQDN -FederationServiceDisplayName $adfsSvcName -ServiceAccountCredential $adfsSvcCreds -SQLConnectionString $sqlConnectionString -CertificateThumbprint $adfsSvcCommCertThumbprint -SigningCertificateThumbprint $adfsTokenSignCertThumbprint -DecryptionCertificateThumbprint $adfsTokenEncryptCertThumbprint | FL

–

# +++[C5]+++ Join ADFS Farm Using WID And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-Self-Signed-Certs.ps1"
$adfsSvcCreds = Get-Credential
$adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..."
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C6]+++ Join ADFS Farm Using WID And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-WID-CA-Issued-Certs.ps1"
$adfsSvcCreds = Get-Credential
$adfsPrimaryServer = Read-Host "Please Specify The FQDN Of The Primary Server..."
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -PrimaryComputerName $adfsPrimaryServer -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C7]+++ Join ADFS Farm Using SQL And ADFS Managed Self-Signed Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-Self-Signed-Certs.ps1"
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C8]+++ Join ADFS Farm Using SQL And CA Issued Certificates
#SCRIPT NAME --> "C:\ADFS-MIG\Join-ADFS-Farm-SQL-CA-Issued-Certs.ps1"
$adfsSvcCreds = Get-Credential
$sqlServerInstance = Read-Host "Please Specify The FQDN Of The SQL Server And SQL Instance..."
$sqlConnectionString = "Data Source=$sqlServerInstance;Initial Catalog=AdfsConfiguration;Integrated Security=True"
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Add-WindowsFeature ADFS-Federation
Add-AdfsFarmNode -SQLConnectionString $sqlConnectionString -ServiceAccountCredential $adfsSvcCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C9]+++ Install And Configure Web Application Proxy
#SCRIPT NAME --> "C:\ADFS-MIG\Install-And-Configure-Web-Application-Proxy.ps1"
Add-WindowsFeature Web-Application-Proxy -IncludeManagementTools
$adfsSvcFQDN = Read-Host "Please Specify The FQDN Of The Federation Service..."
$adfsAdminCreds = Get-Credential
Get-ChildItem -path cert:\LocalMachine\My | FT Thumbprint,Subject,FriendlyName -Autosize -Wrap
$adfsSvcCommCertThumbprint = Read-Host "Please Specify The Thumbprint Of The Service Communication Certificate"
Install-WebApplicationProxy -FederationServiceName $adfsSvcFQDN -FederationServiceTrustCredential $adfsAdminCreds -CertificateThumbprint $adfsSvcCommCertThumbprint | FL

–

# +++[C10]+++ Add/Publish Web Applications Through Web Application Proxy
Get-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283413.aspx
Get-WebApplicationProxyAvailableADFSRelyingParty --> http://technet.microsoft.com/en-us/library/dn283412.aspx
Add-WebApplicationProxyApplication --> http://technet.microsoft.com/en-us/library/dn283409.aspx

–

++++++++++++++++++++++++++++++++

++++++++++++ IMPORT ++++++++++++

++++++++++++++++++++++++++++++++

# +++[I1]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS STS Only!) (Only Works On W2K12R2!!!)
#SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-STS-Local-Cert-Store.ps1"
$privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText
$adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (STS).pfx'
If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) {
    Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD
}
$adfsTokenSignCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Signing Cert (STS)*.pfx'
If (($adfsTokenSignCertPFXFile | Measure-Object).Count -ge 1) {
    $adfsTokenSignCertPFXFile | %{Import-PfxCertificate -FilePath $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD}
}
$adfsTokenEncryptCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Token Encryption Cert (STS)*.pfx'
If (($adfsTokenEncryptCertPFXFile | Measure-Object).Count -ge 1) {
    $adfsTokenEncryptCertPFXFile | %{Import-PfxCertificate $($_.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD}
}

–

# +++[I2]+++ Import The ADFS v2.x Configuration From The XML Files Into ADFS v3.0
#Get PoSH Script From W2K12R2 Media (Folder: <CD>\Support\Adfs) Or Folder C:\Windows\Adfs After Installation ADFS Role
#Copy Script To Folder "C:\ADFS-MIG" On Source ADFS Server
C:\ADFS-MIG\Import-FederationConfiguration.ps1 -Path C:\ADFS-MIG\Export

–

# +++[I3]+++ Import ANY CA Issued Certificate In Use By ADFS (On ADFS Proxy/WAP Only!) (Only Works On W2K12R2!!!)
#SCRIPT NAME --> "C:\ADFS-MIG\Import-CA-Issued-Certificates-Into-ADFS-PRX-Local-Cert-Store.ps1"
$privateKeyProtectionPWD = ConvertTo-SecureString -String $(Read-Host "Please Specify The Password Protecting The Private Keys...") -Force –AsPlainText
$adfsSvcCommCertPFXFile = Get-ChildItem -Path 'C:\ADFS-MIG\Config' -Filter 'ADFS Service Communication Cert (PRX).pfx'
If (($adfsSvcCommCertPFXFile | Measure-Object).Count -ge 1) {
    Import-PfxCertificate -FilePath $($adfsSvcCommCertPFXFile.FullName) -CertStoreLocation 'cert:\localMachine\my' –Exportable -Password $privateKeyProtectionPWD
}

–

A while back I also found a blog post with PowerShell script to quickly deploy both ADFS v3.0 and WAP. You can find that blog post here.

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

#########

http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Certificates, Farm, Federation Trusts, Migration, Proxy Service, Security Token Service (STS) | 6 Comments »

(2013-07-19) Required Claims/Permissions To Join An ADFS Proxy To The ADFS Federation Service

Posted by Jorge on 2013-07-19

In this blog post I explain how to install and configure the ADFS Proxy server in ADFS v2.0 (this may also apply to later ADFS versions). When joining the ADFS Proxy server to the federation service you need credentials to achieve that. If you are using the default configuration, you can either use the ADFS service account credentials or some AD user account that has local administrator equivalent permissions. With regards to the default configuration I’m focusing on the “AddProxyAuthorizationRules” in the federation service (Figure 1) and the “Acceptance Transform Rules” in the Active Directory Claims Provider trust (Figure 2).

Figure 1: The Default ‘AddProxyAuthorizationRules’ In The Federation Service

–

The ‘AddProxyAuthorizationRules’ in the federation service determine which claims are required to be authorized to join an ADFS Proxy server to the federation. You could even consider the ‘AddProxyAuthorizationRules’ to be the Issuance Authorization Rules of a special internal relying party trust.

Figure 2: Default List Of Acceptance Transform Rules For The Default Claims Provider Trust (AD) In ADFS v2.0

–

The ‘Acceptance Transform Rules’ are the rules that determine the claims in the security token for the federation service itself after processing the claims in the incoming/received security token from a downstream STS.

–

In this blog post I explain the bare minimum required claims rules in the Active Directory Claims Provider trust to be able to use ADFS at all as a security token service (STS).

–

Now based upon those minimum required claims rules in the Active Directory Claims Provider trust lets try to join an ADFS Proxy server to the federation service!

–

If you want to join the ADFS Proxy server to the federation service through the command line you can use the following steps:

Open a Command Prompt window
Navigate to “C:\Program Files\Active Directory Federation Services 2.0”
Type And Execute: START /WAIT FSPCONFIGWIZARD.EXE /HostName <Federation Service FQDN> /UserName <Federation Service Service Account> /Password <Federation Service Service Account Password>

–

After starting the federation service proxy wizard, you will see the following screen.

Figure 3: The “Welcome” Screen Of The Federation Service Proxy Wizard

–

After clicking “Next >” you will see the following screen.

Figure 4: The “Specify Federation Service Name” Screen Of The Federation Service Proxy Wizard

–

After specifying the FQDN of the federation service and clicking “Test Connection” you will most likely see the same message stating that connection was successful. Click “OK”. After clicking “Next >” you will see the following screen.

Figure 5: The “Enter Credentials” Screen Of The Federation Service Proxy Wizard

–

After specifying credentials that have local administrator equivalent permissions on the STS servers and clicking “OK” you may see the following screen.

Figure 6: The Error That Mentions You Do Not Have The Correct Credentials To Perform The Join Operation

–

Hey, wazzup!?

–

Let’s try to analyze this!

–

If you start the Event Viewer MMC on the ADFS Proxy server and navigate to the Event Log ADFS 2.0 Admin Event Log (Event Viewer –> Applications And Services Log –> AD FS 2.0 –> Admin) you will see something similar to…

Figure 7: An “Access Denied” Error On The ADFS Proxy server

–

If you start the Event Viewer MMC on the ADFS STS server and navigate to the Event Log Security Event Log (Event Viewer –> Windows Logs) you will see something similar if you have auditing configured (see this blog post) (it may look different if you have more claims rules being processed in the Acceptance Transform Rules of the Active Directory Claims Provider trust!)…

Figure 8: An “Access Denied” Error On The ADFS STS server

–

Figure 9: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id a2e78f87-a14a-4d28-8086-fd4e12aceeae. There may be more events with the same instance id with more information.

Instance id:
a2e78f87-a14a-4d28-8086-fd4e12aceeae

Caller identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
S-1-5-21-1302963225-1802291915-4189581584-500
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2013-07-18T23:00:39.506Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password

–

So, the conclusion here is that we are missing claims to be authorized to join the ADFS Proxy Server to the federation service.

If you look at figure 1 you will see three claims rules exist for the “AddProxyAuthorizationRules”, being:

Permit join if the security token contains a groupsid claim with value “S-1-5-32-544” (which equals to the local administrators group)
Permit join if the security token contains the primarysid of the ADFS service account (assuming it equals to “isProxyTrustManagerSid”)
Permit join if….(can understand this one unfortunately)

–

Hey that’s strange! The AD user account I’m using is a local administrator on the ADFS STS server and still I cannot join the ADFS Proxy server. I did not change the default “AddProxyAuthorizationRules”, but I did change the default Acceptance Transform Rules Of The Active Directory Claims Provider Trust to have the bare minimal claims rules.

So based upon this analysis it looks that my required groupsid claim is not included in the security token as shown in figure 9.

Therefore, to be able to use an AD user account with local administrator equivalent permissions on the ADFS STS servers you MUST have the following claims rule in place in addition to the bare minimum claims rules.

Figure 10: The Claims Rule In The Active Directory Claims Provider Trust Acceptance Transform Rules That Passes-Through The Group SIDs

–

More Details:

@RuleTemplate = "PassThroughClaims"

@RuleName = "Pass through all Group SID claims"

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]

=> issue(claim = c);

–

So after adding this claims rule to the Active Directory Claims Provider Trust Acceptance Transform Rules I retried the join of the ADFS Proxy server to the federation service and now it succeeded!

Figure 11: The “Ready To Apply Settings” Screen Confirming The Credentials Were Validated And Correct

–

Figure 12: The Event In The ADFS 2.0/Admin Event Log Acknowledging The Establishment Of The Federation Trust

–

Figure 13: An Event In The Security Event Log Of The ADFS STS Server Stating A Security Token Was Successfully Issued

–

Figure 14: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Instance id:
0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4

Issued identity:
http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid
3949416d-2770-46e6-8109-c70d929c2abf
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
2013-07-18T23:45:12.790Z
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
–

Figure 15: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

S-1-5-2

Figure 16: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Figure 17: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Figure 18: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Figure 19: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

Figure 20: The Resulting Claims In The Security Token After Processing The Acceptance Transform Rules Of The Active Directory Claims Provider Trust

–

More Details:

More information for the event entry with instance id 0ddf5d2e-8b4b-46ae-aa4d-89276795e1e4. There may be more events with the same instance id with more information.

–

Posted in Active Directory Federation Services (ADFS), Proxy Service | Leave a Comment »

(2013-07-06) Uninstalling An ADFS v2.0 PRX Server

Posted by Jorge on 2013-07-06

In the past I described how to install an ADFS Proxy (PRX) Server in this post. This post will focus on UNINSTALLING an ADFS PRX Server.

–

First you need to uninstall ADFS v2.0

Open a Command Prompt Window
Open APPWIZ.CPL
Click View Installed Updates and type ACTIVE into the Search Programs and Features search bar.
Select Active Directory Federation Services 2.0 and click Uninstall.

–

Secondly, uninstall IIS as described in the section “Restore IIS on a federation server or federation server proxy computer” from How to restore IIS and clean up Active Directory when you uninstall Active Directory Federation Services 2.0

–

And last but not least, delete the CA issued certificate from the computer’s personal store if you do not intend to re-use it

Open a Command Prompt Window
Open MMC
Add the Snap-in called “Certificates” and focus on the local computer
Navigate to the personal store of the computer, select the certificate that contains the name/FQDN of the federation service in the subject or SAN and delete it

–

Posted in Active Directory Federation Services (ADFS), Proxy Service | Leave a Comment »

(2012-05-11) Installing And Configuring ADFS v2 As A PRX Server

Posted by Jorge on 2012-05-11

With this post I want to show you the ADFS v2.0 PRX installation procedure that I used in my test/demo environment. The installation binaries can be downloaded from the internet for W2K8/W2K8R2 from here, and I also downloaded (at the time of writing) the latest update rollup for ADFS from here. I followed the following installation steps.

After downloading the ADFS installation binaries, double-click it. Then click on “Next >”.

Figure 1: The Active Directory Federation Services v2.0 Setup Wizard

–

Check the “I accept the terms in the License Agreement” after reading and accepting the EULA for ADFS v2.0, and then click on “Next >”.

Figure 2: The Active Directory Federation Services v2.0 Setup Wizard – The EULA

–

We need to start with the installation of the federation proxy server. In terms of locating and securing the PRX server, you do not need to consider it as an ADFS STS server. The purpose of the ADFS PRX is to locate it on insecure networks or locate it facing insecure networks (e.g. internet). The ADFS PRX is basically a traffic agent without any authority. It just passes security tokens from the ADFS STS to the user and vice versa and allows the automatic exchange of metadata to occur when possible. The ADFS PRX server is not able/allowed to generate any security token with any claim like an ADFS STS server. Therefore, anyone in control of the PRX server is not able to do anything.

The ADFS PRX server does not need to be domain joined, but it could be if you want to leverage centralized administration and policy management through AD.

–

Because we need an PRX server, select the federation proxy server option.

Figure 3: The Active Directory Federation Services v2.0 Setup Wizard – Installing An PRX Server

–

Click on “Next >”.

Figure 4: The Active Directory Federation Services v2.0 Setup Wizard – Prerequisite Software

–

Now, just be patient.

Figure 5: The Active Directory Federation Services v2.0 Setup Wizard – Installation Of Binaries In Progress

–

Make sure to have the option “Start the AD FS 2.0 Federation Server Proxy Configuration Wizard when this wizard closes” checked and click on “Finish”.

Figure 6: The Active Directory Federation Services v2.0 Setup Wizard – Installation Finished

–

If IIS was not pre-installed and/or if the default website was not already configured with a SSL certificate, the following error will appear. Read it carefully and click on “OK”. It is recommended to FIRST get a certificate and then connect the ADFS PRX server to the ADFS STS server(s).

Figure 7: Error When SSL Has Not Been Configured On The Default Website

–

If the ADFS PRX server is domain joined, you can request an SSL certificate using the next steps. If the ADFS PRX server is operating as non-domain joined. You will need to do an offline certificate request and then manually deploy it to ADFS PRX server(s).

For now I’m assuming it is domain joined as that is easier to describe! Smile

–

For more information about the certificates in use by ADFS see:

–

In this case I’m going to use certificate from the CA in my test/demo environment.

–

Start the Certificates MMC on the ADFS PRX server and target the local computer. To request a certificate navigate to “Certificates (Local Computer)” –> Personal –> Certificates. Right-click the last one and then “All Tasks” –> “Request New Certificate”.

Figure 8: Requesting A New Certificate

–

Click on “Next >”.

Figure 9: Certificate Enrollment – Before You Begin

–

In this select the “Active Directory Enrollment Policy” and click on “Next”.

Figure 10: Certificate Enrollment – Certificate Enrollment Policy

–

For this certificate you can leverage the “Web Server” certificate template. Select the “Web Server” certificate template, click on details to expand for more information and click on “Properties”.

Figure 11: Selecting The “Web Server” Certificate Template

–

For the Service Communication (SSL) Certificate, targeting the “Subject” TAB, provide the service name (e.g. FS.ADCORP.LAB) as the subject name (Type = Common Name) and as the alternate name (Type = DNS). The ADFS PRX server must also be reachable using the ADFS federation service name (e.g. FS.ADCORP.LAB). In addition to that, the ADFS PRX server itself must be able to access the ADFS STS server(s) using the exact same ADFS federation service name (e.g. FS.ADCORP.LAB). How you achieve that really depends on the DNS name resolution setup internally, in the DMZ and on the internet. But, that’s a totally different story I hope to describe another day. Unfortunately, today is not that day.

Figure 12a: Service Communication (SSL) Certificate – Subject Name And Alternate Name

–

For the Service Communication (SSL) Certificate, targeting the “General” TAB, provide the friendly name (e.g. Service Communication Cert For ADFS-PRX) and the description.

Figure 12b: Service Communication (SSL) Certificate – Friendly Name And Description

–

For the Service Communication (SSL) Certificate, targeting the “Private Key” TAB, configure the private key to be exportable. Click “OK” when done.

Figure 12c: Service Communication (SSL) Certificate – Configuring Private Key To Be Exportable

–

Click on “Enroll” to actually enroll the certificate.

Figure 13: Enrolling The Certificate

–

Click on “Finish”

Figure 14: Finishing The Certificate Enrollment

–

Now by using the IIS MMC you need to make sure the default website has an HTTPS (SSL) binding (port 443) and also uses the just enrolled SSL certificate.

Figure 15: HTTPS (Port 443) Binding Using The Service Communication Certificate For The ADFS-PRX

–

Also make sure to enforce SSL as shown in the picture below.

Figure 16: Enforcing The Use Of SSL For The Default Website

–

Now from the Start Menu, start the AD FS 2.0 Federation Server Proxy Configuration Wizard and then click on “Next >”.

Figure 17: The Active Directory Federation Server Proxy Configuration Wizard

–

Type the federation service name (e.g. FS.ADCORP.LAB) that was also used when installing the ADFS STS servers

Figure 18: Specifying The Federation Service Name

–

To make sure you can connect the ADFS PRX server to the ADFS STS server(s), you should first test the connection by clicking on “Test Connection”. If the connection if successful you will see the acknowledgement an then click on “OK”. If not, you will receive an error. Click on “Next >”.

Figure 19: Testing The Connection From The ADFS PRX Server To The ADFS STS Server (s)

–

To actually connect the ADFS PRX to the ADFS STS servers, you need to provide credentials. Those credentials can either be the credentials for the ADFS service account used on the ADFS STS servers, or be any account that has local administrative permissions on the ADFS STS server(s). Therefore, enter credentials and click on “OK”.

Figure 20: Specifying The Credentials To Connect The ADFS PRX Server To The ADFS STS Server(s)

–

When successful, the following will appear. Click on “Next >” to configure the local ADFS PRX server.

Figure 21: Configuration Summary Of The Local ADFS PRX Server

–

The ADFS PRX is being configured. Be patient.

Figure 22: Actual Configuration Of The Local ADFS PRX Server

–

When the actual configuration is done, click on “Close”.

Figure 23: The Configuration Of The Local ADFS PRX Server Finished

–

Now it is time to update the ADFS role. After downloading the ADFS rollup package, extract it and double-click the MSU file. Then click “YES”.

Figure 24: Confirming The Installation Of The ADFS Rollup Package 1

–

Click on “Restart Now” to restart the server.

Figure 25: Finalizing The Installation Of The ADFS Rollup Package

–

To validate the working of your ADFS deployment, you can target the following URLs (of course replace this with your own federation service name!!!):

–

[1] –> https://fs.adcorp.lab/adfs/ls/IdPInitiatedSignOn.aspx

First it will perform Home Realm Discovery (HRD) if you have more than one Claims Provider Trust configured. I this case I do, so that’s why it happened.

Figure 26: Testing ADFS Deployment – Home Realm Discovery

–

As soon as you click on “continue to sign in” it will ask you to provide credentials. This does assume you are not using Windows Integrated Authentication (in that case the federation service FQDN is NOT added to the Local Intranet Zone in IE). The collection of the credentials is either Windows based of forms based, whatever you have configured. On a ADFS STS it most likely is Windows based as that is the default! If you want to use Windows Integrated Authentication you must add the federation service FQDN to the Local Intranet Zone in IE. On a PRX forms based is the default

Figure 27: Testing ADFS Deployment – Providing Credentials

–

Figure 28: Testing ADFS Deployment – Successful Logon

–

[2] –> https://fs.adcorp.lab/FederationMetadata/2007-06/FederationMetadata.xml

As soon as you enter the URL and hit ENTER, you might end up in seeing a BLANK page. To actually see the federation metadata, click IN ADDITION on the “Compatibility View” button in IE. You will then see the following.

Figure 29: Testing ADFS Deployment – Federation Metadata

–

With regards to ADFS, also see the following resource with lots of information:

–

ADFS Related Videos:

–

Posted in Active Directory Federation Services (ADFS), Proxy Service | 4 Comments »

Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

For Ad Free Blog

Social Media

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Proxy Service’ Category

(2014-04-02) Building An ADFS Lab In W2K12(R2)

(2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

(2013-07-19) Required Claims/Permissions To Join An ADFS Proxy To The ADFS Federation Service

(2013-07-06) Uninstalling An ADFS v2.0 PRX Server

(2012-05-11) Installing And Configuring ADFS v2 As A PRX Server

Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

For Ad Free Blog

Social Media

Profiles

Statistics

Other Cool Blogs

Interesting Places To Visit

The Knowledge Archives

RSS Links

Email Subscription

Categories

Archive for the ‘Proxy Service’ Category

(2014-04-02) Building An ADFS Lab In W2K12(R2)

Share this:

(2014-03-12) Additional PowerShell Scripts For Migrating ADFS v2.x To ADFS v3.0

Share this:

(2013-07-19) Required Claims/Permissions To Join An ADFS Proxy To The ADFS Federation Service

Share this:

(2013-07-06) Uninstalling An ADFS v2.0 PRX Server

Share this:

(2012-05-11) Installing And Configuring ADFS v2 As A PRX Server

Share this: